Germany in trouble with EC over lack of ISP, telecom data retention

All EU nations are supposed to retain ISP and telecommunication data.

The European Commission is preparing to refer Germany to the European Court of Justice in Luxembourg, for failing to introduce a new law that would put it in line with the European data retention directive, according to a new report from Reuters.

In 2006, the EU passed a directive in the wake of the London and Madrid terrorist attacks that compels ISPs and telecommunications companies to retain all e-mails, phone calls, and related data. These directives, while mandated from Brussels, must be written into the law of each of the 27 member states at the national level. However, since the directive, Germany, Romania, and the Czech Republic have had their national laws overturned by their courts.

Many online activists have long complained against the data retention directive.

"For data retention to be legal under the EU’s charter on fundamental rights says that measures that restricts fundamental rights need to be 'necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others,'" wrote Joe McNamee of European Digital Rights, in an e-mail sent to Ars. "However, the implementation report published last year showed very clearly that data retention is not necessary. Statistics from EU member states from before and after implementation of data retention shows that it is not necessary. Data retention is therefore unquestionably illegal under European law."

"Instead of bringing Germany to court, the EU Commission would do better, to start withdrawing the data retention directive and not postpone again and again the evaluation of the directive,” he wrote.

Even non-Europeans, like Katitza Rodriguez, of the Electronic Frontier Foundation, say that this situation may have broader implications.

"This legal action against Germany puts the European Union's credibility to the protection of privacy internationally at risk," she wrote in an e-mail to Ars.

"On one hand, the European Union has always taken a strong stand in protecting and promoting data protection legislation vis-à-vis companies, — a legislation that has been praised by the international privacy community. On the other hand, it has adopted one of the most intrusive anti-privacy, anti-free expression, anti-association pieces of legislation in the European Union vis-à-vis governments. Instead of taking action against Germany, the European Union should uphold its commitment to human rights and repeal this mass surveillance Directive."

16 Reader Comments

I'm surprised so many other countries went along with it, seems like a terrible burden. I know there was a bill in the US that would require 18 months of data retention, not sure what happened with that.

Does anybody care to explain why the Deutsche Telekom was then in turn already kept my data for a year before deleting hence allowing New Line Cinema to threaten me, because someone allegedly used my IP to upload "The Mechanic"? Obviously the law firm representing NLC used a court order to obtain that data from the Telekom. How is Germany then any different then?

Badly informed or just suggestive article.Quote:"Under the directive the police and security agencies will be able to request access to details such as IP address and time of use of every email, phone call and text message sent or received."That's bad enough, but it's not "email retention", because it's not content retention.So you're safe if you use gmail.com because then only Uncle Sam will read your emails.

Not really.They already had the retention from 2008 to 2010, when the highest German court (Bundesverfassungsgericht) overthrew the law, which was made based on the EU-directive.If it was for the ministers of state in recent years, Germany would still have it, and even for petty crimes.

The thing is this law does not have support among the residents of EU countries (I know for sure in one and have a hard time the rest would think to much different). It's politicians that makes laws and does not (mostly) matter on whom you vote they always do the same thing, say good things and do bad things....

I do have a problem with this law, not so much of my "illegal activities" it's more of "how long until this system gets hacked/leaks info?" Sure many people don't want to be tracked due to their file sharing, but many care about privacy.There happens to be (as far as I know) only one ISP that encrypts it's logs and I'm going to switch to them as soon as I can...

I really wonder what will happen when/(if) some country go "evil" and start searching these logs for whatever reason to do "evil"...

I guess that Germany have a good chance to defend itself if uses a good strategy. The data retention directive is clashing other higher level EU norms. The whole directive should have been withdrawn.

Why no one mentioned RIAA yet? The directive is well-known to be lobbied by them, and Galatian's comment clearly shows why.

Probably because in Germany they are called GEMA and the RIAA are like little fluffy pets compared to them. I.e. most of the Youtube videos posted here are censored in Germany because they have some kind of music in them (there is no "fair use" in Germany which is also why a lot of universities got sued in recent years)

Right now nobody in Germany is passing the law because it is so unpopular and the CDU and FDP (the reigning parties) are afraid to loose even more followers. Most of the people are actually quite comfortable with the status quo.

I do have a problem with this law, not so much of my "illegal activities" it's more of "how long until this system gets hacked/leaks info?"

My primary concern would be "how long until they make it legal to use the data not only for serious crimes, but whatever they want?"

In Baden-Wuerttemberg, the south-western state, the state prosecution recently spoke in favor of the data retention and had an example that makes you think. There's a kind of fraud called the grandson-fraud in which criminals call older people and try to convince them to be relatives and hand over money to someone they supposedly sent.In short they are already bold enough to openly ask to log all communication metadata from 10 million people to be able to solve ~250 cases a year with less than half a million Euro in damages.

Another problem with the EU and any other data retention mandate is that the information is inevitably going to be subpoenaed in civil cases.

In Poland, the data retention law is frequently used to go after petty criminals, tax dodgers and parties in divorce cases.And recently the European Court of Justice approved iin principle the use of trafick data in copyright lawsuits.

The troubling defense of mandatory data retention is often that data retention is only incident to the state's power to intercept communication or search a location for evidence.

If this is correct, the state would necessarily have the power to monitor any location or activity capable of generating information relevant to a forensics investigation - or in other words any place and any information in the known universe.

It's actually way more complicated than stated in the article. The german constitutional court redacted the law, yes, but it also laid the groundwork under which circumstances such a retention would be legal. Some of it is quite technical, but the rough outline is: only decentralized storage, very definite storage time frame, high hurdles to access the data, compensation for the telecom operators to store the data. Also, actually no content can be stored (no text messages, no e-mails), only access times, addresses and forth.Especially the part about the hurdles to access data is interesting. Of course, you would need a court order. Private entities (i.e. companies) would not be able to get one, they'd have to file a complaint with police. Also, it should be limited to severe crimes. A hint about what the court considers severe would be the injunction it installed against the law during the original proceedings. In that injunction, access to the data was only given in severe criminal cases, against life or health of the people (so, no copyright cases!). This would actually be in line with the original intention of the law, fighting terrorism and the like ...The german department of justice actually has worked on a draft for a while to reintroduce the law, considering the complaints of the court. But the justice department is run by a politician from the civil liberties party The Free Democrats, so they are a bit reluctant to introduce it. The department of the interior of course wants a more drastic law (run by a christian democrat).

The weird thing about the whole process, this does in no way touch the topic of data the provider keeps for billing process. If your provider has your data on file anyway, it's still possible to obtain such, even for copyright processes.

I'd like to add something about the future process. As the Free Democrats in germany occupy the justice department and at large oppose such strict measures, I hope they make this a signature case fighting against the EC. The Free Democrats have been hard hit in opinion polls lately, many voters flocking to the Pirates and the Greens, which also oppose the law. So, fighting for voters and still being in a position of power, they could make this a signature case for civil liberties and internet freedom, a topic which many voters went to the Pirates for.

They won't be able to implement this in Romania with the current Constitution. The Constitutional Court has already decided that any law requiring automated mass archival of private communications is against the Constitution. We actually have an article in there declaring that private communications are secret.